0 Replies Latest reply on Jul 9, 2004 9:35 AM by sverker

    A small description on how to avoid "No trusted certificate

    sverker

      Hi,
      since I need to do EJB calls and access JMS queues through a firewall, I started with setting it up to use http as bearer, and that was quite simple, but when I tried to turn on https I had major problems. The instructions in the AdminDevel book were for Tomcat 4, but it was not hard to figure out how to do it with Tomcat 5 (uncomment the appropriate part in server.xml), and so I got it up and running.

      When trying to connect however I kept on getting an Exception thrown from the client with message "No trusted certificate found". The JBoss doc doesn't mention that since the generated certificate is not signed by a trusted certificate authority, it has to be imported into the jvm cacert keystore. That is accomplished like this:

      Export the certificate from https.keystore:
      keytool -export -v -rfc -alias https -file https.cert -keystore c:\java\jboss-3.2.5\server\default\conf\https.keystore

      Import it into cacerts:
      keytool -import -v -trustcacerts -alias my.hostname.com -file https.cert -keystore c:\java\j2sdk1.4.2_04\jre\lib\security\cacerts

      I used the hostname as alias to be able to keep track of it. The default password of cacerts is "changeit".

      However, then I started to get exceptions with message "HTTPS hostname wrong: should be <my.hostname.com>". That puzzled me quite a bit, since I couldn't find it mentioned anywhere in the JBoss doc, and at Sun's Java forums I only found descriptions about how to work around it programmatically.

      After much pondering I recalled that the common name of the certificate has to be the hostname. I.e. when generating a key with keytool, when it asks for your first name and last name, write the hostname as first name and leave last name empty. Then the certificate will be correct.

      I hope this can be helpful for those of you struggling with the same problem.
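The hostname check behind the second error above, as an added illustration that is not code from the post or from JBoss: a Python sketch of the matching rule an HTTPS client applies to the certificate's subject CN (or to subjectAltName dNSName entries, which take precedence when present). The certificate fields are constructed dictionaries, not parsed X.509 certificates.

```python
"""Hostname verification of the kind that yields "HTTPS hostname wrong".

Added example, not from the forum post. The certificate name data below is
constructed to mimic what a client reads out of the peer certificate.
"""

# Constructed certificate name fields: subject CN plus any dNSName entries
# from subjectAltName. A real client would parse these from the DER cert.
CERT_HOST_CN = {"cn": "my.hostname.com", "san_dns": []}        # CN typed as hostname
CERT_PERSON_CN = {"cn": "First Last", "san_dns": []}           # CN typed as a person's name
CERT_WITH_SAN = {"cn": "ignored", "san_dns": ["*.example.com", "api.example.org"]}


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname (RFC 2818/6125 style).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label, covers exactly one label, and
    is rejected for patterns as short as '*.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate identifies hostname.

    When dNSName SANs are present only they are consulted and the CN is
    ignored, as modern clients do; otherwise the CN is the fallback.
    """
    names = cert["san_dns"] if cert["san_dns"] else [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


def check(cert: dict, hostname: str) -> str:
    """Return 'ok' or the message the post quotes when the check fails."""
    if hostname_matches(cert, hostname):
        return "ok"
    return f"HTTPS hostname wrong: should be <{hostname}>"


if __name__ == "__main__":
    print(check(CERT_HOST_CN, "my.hostname.com"))
    print(check(CERT_PERSON_CN, "my.hostname.com"))
```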